Revealed: Our picks for the best password strategies

If you’re looking for tips on how to create, recall and manage strong passwords, you would do well to listen to our readers. They don’t seem to have the bad habits that lead to the weak, easily guessed passwords that abound on systems and Web sites everywhere.

Earlier this month, we reported that data security company Imperva had analyzed 32 million passwords stolen from an application developer and listed the 10 passwords most commonly used. At the top of the list was “123456,” the network equivalent of “Joe sent me” at an old-time speakeasy. Most of the rest were equally bad, such as the Web site's name used as a password, and, of all things, “password.” If you visit these folks and they're not home, don't worry: The key is right under the mat.

So we asked our readers for their ideas on creating and managing strong passwords, and made it into a contest. The response was impressive. We received a total of 218 comments to our stories on this issue, and every single one of them was better than “123456.” A lot better, in fact. And we don’t think people were in it for the loot – we humbly offered a T-shirt as the prize – but were more interested in spreading the word on secure authentication practices.

As we count down to our winner, let's look at some of the better ideas.

Quite a few readers take an acrostic approach to building their passwords, selecting phrases familiar to them, lines of poetry, song lyrics or recent memories. JCL, an avid golfer, builds passwords based on his most recent good round, something no golfer ever forgets. Another writer bases his on slang words he used in Asia while stationed there in the Army.

Once they have their basic password down, most of our contributors then substitute capital letters and special characters here and there. Using @ for a, and 1 for I, for instance, can keep the substitutions easy to remember.

Some writers stress the importance of password length, pointing out that adding even two letters makes a password considerably harder to crack. Both BB from Ohio and Michael from Offutt Air Force Base, Neb., recommended using short basic passwords, of three to seven characters, and then repeating them to make a longer password.

And several people, including dmiller of Washington, D.C., recommended using keyboard patterns rather than thinking about specific words or phrases. “I use spatial patterns to create my passwords,” Miller wrote. “The advantage is that all I really have to remember is the starting point, ending point and the pattern. In fact, I probably couldn’t recite the characters of my password from memory if tortured.” Another advantage of this approach is that changing a password requires changing only the starting point, so even if a user wrote down the first character, someone who found the list wouldn’t know what follows.

All solid ideas. But the real trick to password management, as many readers pointed out, is remembering and protecting the passwords for many log-ins. At least one reader mentioned having 128 passwords; several others cited 50. How do they keep them all straight and secure?

Jack Holbrook of Lacey, W.Va., recommended building passwords from a favorite book, based on a combination of page number and line numbers. “You can even keep the page and line number written down and somewhere in plain sight,” he writes. “No one knows your favorite book or where it is located.” (Note to social media mavens: If you use this approach, don’t list your favorite novel on Facebook.)

There also is the more digital approach of using password management tools, recommended by quite a few readers. Ben Walker in Washington, D.C., uses KeePass, a free, open-source tool that was among those reviewed by the GCN Lab (and compared with the old-school, Post-it note method).

Utilities such as KeePass, RoboForm, 1Password and LastPass have the distinct advantage of leaving you with just one strong password to remember – the password to get into the encrypted utility, where the other passwords you need are kept. And you can cut and paste passwords from the list to whatever system or site you’re logging onto, which is a defense against keylogging software.

Of course, no system is perfect, and these tools do create a single point of failure if they’re ever compromised. And if you use multiple computers, you have to have them loaded onto each machine. Still, they do offer a secure, efficient way to keep a long list of passwords.

“While all the suggestions above are good, none are as strong as random generated passwords. I work for a business that stores business and medical records that must be kept secure. Also, we use the cloud for document management. Since any information is only as secure as the password needed to access it, I create 16-24 character passwords, encrypt them on a flash drive that I carry with me at all times, and duplicate in a safe spot, e.g., safe or safety deposit box. I need remember only one password to access the list (and like everyone else, it's a long list) if I've forgotten something. Keeping the flash drive safe and accessible is easier than you might think. Like any other system it takes some adjustment, but I know that my information and my clients' information will remain accessible only to those who are authorized to view it. Of course, we take other precautions. Passwords are only the first step in a long line of security procedures, but one of the most important.”

Ron’s approach covers just about every step security experts recommend. The passwords are strong. He keeps them in an encrypted file, but one that is mobile, so it can travel with him and be used on multiple machines. If he loses it, the files are still encrypted – and he has a backup, so he still has his passwords. And, perhaps most important, he and his organization recognize that passwords are only one part of a secure computing environment.

Whether this system would work with a BlackBerry or other smart phone might be problematic, but, as we said, no system is perfect. However, if you have a lot of passwords and a need for security (which covers practically everyone these days), this system is a good one. Congratulations, Ron. Your T-shirt will be on the way soon.
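Ron's winning approach relies on passwords that are randomly generated rather than derived from a memorable phrase. The script below is an added example, not Ron's or the article's code, of how to produce 16-24 character passwords from a cryptographically secure source, check that each one actually uses every character class, and report how many bits of search space it represents. The alphabet (letters, digits and ASCII punctuation) and the length range are assumptions taken from the text; the example does not cover the encrypted flash-drive storage, which depends on the encryption tool chosen.

```python
import math
import secrets
import string

# Alphabet assumed for the example: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
MIN_LEN, MAX_LEN = 16, 24  # the range Ron describes


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Return a uniformly random password using the secrets module (CSPRNG).

    Candidates missing a character class are rejected and redrawn; this costs a
    fraction of a bit of entropy at these lengths and keeps the result from
    being, say, all lowercase by chance.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly chosen password of this length."""
    return length * math.log2(alphabet_size)


def generate_batch(count: int, length: int = 20) -> list:
    """Generate several passwords, e.g. one per account in a password list."""
    return [generate_password(length) for _ in range(count)]


if __name__ == "__main__":
    for length in (MIN_LEN, 20, MAX_LEN):
        pw = generate_password(length)
        print(f"{length} chars, {entropy_bits(length):.1f} bits: {pw}")
    print("batch of 3:", generate_batch(3))
```

Using `secrets` rather than `random` is the security-relevant choice here: `random` is seeded from a small state and is designed for simulations, not for secrets. The entropy figures assume the attacker knows the alphabet and length and still has to search the whole space, which is exactly the property a phrase-derived password cannot offer.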

On a final note, several readers questioned the whole idea of offering password tips. “The first rule about passwords is don’t share your rule,” wrote Larry Frank. “If rules are commonly shared, then systems to crack passwords use those rules to limit their search.”

That’s a fair point, but since our readers offered so many different methods, we figure we have safety in their variety. If you’re looking for a new password method, choose the one you like – just don’t tell anyone.

Or, as Christopher, with tongue in cheek (we think), put it: “I've devised a foolproof method for creating easy-to-remember passwords that are impossible to crack. If I describe it, though, I'd have to kill you.”

Reader Comments

Wed, Mar 2, 2011
Ralph

The problem with passwords is that they are hard to remember and that they can be seen by IT people working at various company websites. If you have a password that you use at Paypal, some help desk person could conceivably believe that you use that password on your Yahoo! mail account. Now the obvious thing to do is to use a different password for each new account. This would be nearly impossible for many people. For instance, I have (or had) over 30 different accounts. After a while, I just used the same password. Now, I have a new strategy that changes with every new account and that is easy to remember. The strategy is I come up with a strong password, such as %^&uH89, then when I come to a new website like Facebook, I use the domain name as part of the password. So the password for only Facebook would be Fa%^&uH89ok. This is easy to remember and a Facebook employee would not be able to use my password at Yahoo.com, because that password is Y%^&uH89oo. Of course, my real strategy is not the easy one I just mentioned; it's a little more complicated but easy to remember and never repetitive. This way no matter what website I am on, I can remember the unique password I have for that website. The example I How is easy, but try a character before the domain, so &fa%^&uH89ok is not as obvious as Fa%^&uH89ook. Anyway, that's my new strategy, better than using the same (but strong) password in every site.

Wed, Aug 18, 2010
ITSO

As an IT Security Specialist, I have some reservations about the use of the flash drive. Since the method of encryption was not specified, I cannot specifically comment on trustworthiness. I'll just point out that early this year, several manufacturers' encrypted flash drives were found to be easily cracked. The mobility is a bigger concern. Is the user allowed to carry the flash drive outside of the office? Besides the possibility of it being lost and subsequently cracked, is it scanned for viruses before being reconnected to the trusted network? (We use a system NOT connected to our network to check every incoming flash drive, CD-ROM, etc.)
But the really big red flag is the number of people recommending Sticky Password, KeePass or Password Agent. What procedures did you use to vet this software? Do you even know where it comes from? How can you possibly trust your security KEYS to a program from the Czech Republic, Ukraine, Germany or Estonia? I would almost suggest you 'write your passwords on a Post-It note and stick it in a locked drawer.' That way you can be sure it is not mailing itself to a foreign national in the middle of the night!
Please don't give me any grief about being a xenophobe. I have enjoyed living and working overseas for most of a decade, including two years in Germany. Prague is a beautiful place and I would love to visit again. The point is that software used to secure the government's networks must be from a TRUSTED SOURCE. We should not be downloading our Anti-Virus protection from the Czech Republic, a Password Manager from the Ukraine or VPN/SSH utilities from North Korea.

Fri, Jul 30, 2010

My problem is administrators. If you have a really strong password, you shouldn't have to keep changing it. The only way to break a phonetically spelled foreign address 40+ characters long, with special characters, is brute force, a Cray, and 10,000 years.

Thu, Jun 3, 2010
Danette

I use Sticky Password and I have no worries about my password management.